All news with #mfa tag
Thu, September 11, 2025
Akira Ransomware Reuses Critical SonicWall SSLVPN Bug
🔒 The Akira ransomware gang is actively exploiting CVE-2024-40766 to target unpatched SonicWall SSL VPN endpoints and gain unauthorized network access. SonicWall released a patch in August 2024 and warned that exposed credentials could allow attackers to configure MFA or TOTP and bypass protections. Administrators should apply the vendor update, rotate local SSLVPN passwords, enforce MFA, mitigate Default Group risks, and restrict Virtual Office Portal access.
Thu, September 11, 2025
Akira Exploits SonicWall SSL VPN Flaw and LDAP Settings
🔒 Rapid7 and SonicWall report a surge in intrusions tied to the Akira ransomware group exploiting a year-old SSL VPN vulnerability, CVE-2024-40766 (CVSS 9.3), and LDAP misconfigurations that retained local passwords during migrations. Attackers are brute-forcing credentials, abusing SonicWall's Virtual Office defaults to enable MFA/TOTP, and using loaders like Bumblebee to deploy AdaptixC2 and persistent tools. SonicWall urges rotating local accounts, enabling Botnet Filtering and Account Lockout, enforcing MFA, restricting Virtual Office access, and reviewing LDAP default groups.
Thu, September 11, 2025
How Cybercriminals Bypass Logins Using Stolen Credentials
🔐 Cybercriminals increasingly target corporate credentials, authentication tokens and session cookies to bypass MFA and impersonate legitimate users. Stolen credentials accounted for a large share of recent breaches and estimates indicate billions of credentials were exposed in 2024. Organizations can reduce risk with Zero Trust, robust MFA, realistic training and continuous behavioral monitoring to detect suspicious sessions.
Wed, September 10, 2025
Salty2FA Phishing Framework Evades MFA Using Turnstile
🔒 A newly identified phishing-as-a-service called Salty2FA is being used in campaigns that bypass multi-factor authentication by intercepting verification flows and abusing trusted services like Cloudflare Turnstile. Ontinue researchers report the kit uses subdomain rotation, domain-pairing, geo-blocking and dynamic corporate branding to make credential pages appear legitimate. The framework simulates SMS, authenticator apps, push approvals and even hardware-token prompts, routing victims through Turnstile gates to filter automated analysis before harvesting credentials.
Wed, September 10, 2025
Social-Engineered Help Desk Breach Costs Clorox $380M
🔐 Attackers affiliated with the Scattered Spider group exploited weak vendor phone procedures to obtain repeated password and MFA resets from Cognizant’s service desk, then used the access to escalate to domain-admin footholds at Clorox. Clorox says the intrusion caused roughly $380 million in damages, including remediation and extended business-interruption losses. The case highlights failure to follow agreed verification processes and the amplified risk of outsourced help desks. Organizations should enforce out-of-band caller verification, immutable reset logs, and automated containment to reduce the attacker window.
Tue, September 9, 2025
Salty2FA Phishing Kit Undermines Confidence in MFA
🔐 A newly uncovered phishing campaign uses the Salty2FA phishing‑as‑a‑service kit to bypass multi‑factor authentication by intercepting verification methods, rotating unique subdomains and hiding behind Cloudflare Turnstile gates that filter automated analysis. Ontinue found the kit simulates SMS, authenticator apps, push prompts and hardware tokens while dynamically applying corporate branding to match victims' email domains. Industry experts characterize this as a more mature, evasive form of phishing and recommend phishing‑resistant authentication, runtime inspection and continuous user training.
Tue, September 9, 2025
Axios User Agent Enables Mass Automated Phishing Campaigns
🔍 ReliaQuest reports a sharp rise in automated phishing campaigns leveraging the Axios user agent and Microsoft's Direct Send feature, observing a 241% increase between June and August 2025. Attacks using Axios represented 24% of malicious user-agent activity and had a 58% success rate versus 9% for other incidents. When paired with Direct Send, success rose to 70%, prompting guidance to restrict Direct Send, enforce anti-spoofing, scan inbound messages for QR codes/URLs/PDFs, train users including executives, and block uncommon TLDs.
Tue, September 9, 2025
Plex Urges Password Resets After Customer Data Breach
🔒 Plex reports an unauthorized third party accessed a limited subset of customer authentication data, including email addresses, usernames, and securely hashed passwords. The company says it quickly contained the incident and that no payment card information was stored on its servers. Because Plex did not disclose the hashing algorithm used, it recommends users reset their passwords, enable two‑factor authentication, and use the “Sign out connected devices after password change” option to terminate active sessions. Plex reminded customers it will never request passwords or card details by email.
Mon, September 8, 2025
Stopping Ransomware Before It Starts: Pre-Ransomware Insights
🔒 Cisco Talos Incident Response (Talos IR) analyzed pre-ransomware engagements from January 2023 through June 2025 to determine which controls most often prevented ransomware deployment. Rapid engagement with incident responders and near-immediate action on EDR/MDR alerts were the two strongest correlates of stopping encryption. Talos found that aggressive blocking and quarantine settings, strict identity and privilege controls, improved logging, and early notifications from partners materially increased the chance of eviction before encryption. The guidance focuses on securing remote services, credential protection, application allowlisting, and network segmentation.
Fri, September 5, 2025
Microsoft Enforces MFA for Azure Portal Sign-ins Globally
🔐 Microsoft has completed a global rollout enforcing multifactor authentication (MFA) for Azure Portal sign-ins across 100% of tenants as of March 2025. The rollout follows an initial enforcement announcement in May 2024 and prior warnings to Entra global admins to enable MFA to avoid access disruptions. Microsoft says this step strengthens account defenses and will be followed by mandatory MFA for Azure CLI, PowerShell, SDKs, and APIs in October 2025. The company cites internal research showing MFA dramatically reduces account takeover risk.
Fri, September 5, 2025
Azure Phase 2: Mandatory MFA for Resource Management
🔒 Microsoft is starting Phase 2 of mandatory multi-factor authentication for Azure resource management operations on October 1, 2025. Enforcement at the Azure Resource Manager layer will be applied gradually via Azure Policy, requiring users to complete MFA before performing management actions. Workload identities (managed identities and service principals) are not affected. Administrators should enable MFA, test policy in audit mode, and ensure Azure CLI 2.76 and Azure PowerShell 14.3 or later are in use for best compatibility.
Fri, September 5, 2025
Latest Social Engineering Trends Targeting Enterprises
🛡️ Social engineering remains the favoured vector as attackers combine psychological manipulation with accessible AI tools to target high-value corporate roles. Recent incidents show sophisticated pretexting, voice cloning and mass email flooding used to create urgency and extract funds or credentials. Fraudsters increasingly exploit collaboration platforms such as Microsoft Teams and legitimate utilities like Quick Assist to appear trustworthy and gain remote control. Organizations should harden collaboration settings, enforce conditional access and MFA, and reduce privilege scope to limit the blast radius of any compromise.
Fri, September 5, 2025
Sharp Rise in Cyberattacks on German Education Sector
🔒 Researchers at Check Point report a 56% year-over-year increase in cyberattacks against German educational institutions as the new school year begins, well above the global average. Analysts observed targeted phishing campaigns, including an August 2025 scheme that redirected victims to fake university and Outlook login pages to harvest credentials. To mitigate risk, experts recommend targeted phishing awareness training, mandatory multi-factor authentication (MFA), early detection of suspicious domains, regular system updates and deployment of modern threat-prevention solutions as part of a preventive, multi-layered security strategy.
Fri, September 5, 2025
Under Lock and Key: Strengthening Business Encryption
🔒 Encryption is a critical layer in modern data protection, safeguarding sensitive and business‑critical information both at rest and in transit. The article outlines key drivers — remote/hybrid work, explosive data growth, device loss, third‑party risks, ransomware and insider threats — that make encryption essential. It recommends robust algorithms such as AES-256, centralized management and solutions for disks, files, removable media and email, alongside minimal end‑user friction. The piece also warns that regulators and insurers increasingly expect strong encryption as part of compliance and underwriting.
Thu, September 4, 2025
Principal Financial Adopts Biometrics to Stop Account Fraud
🔐 Principal Financial replaced brittle knowledge-based authentication with a digital ID verification and biometric platform to block account takeovers. Using DIVA with a focus on facial recognition and an implementation by Onfido (an Entrust company), the insurer completed rollout within months. The change has virtually eliminated fraudulent registrations and improved user success and completion rates while preserving usability.
Thu, September 4, 2025
Six Browser-Based Attack Techniques to Watch in 2025
🔒 This article outlines six browser-based attack techniques—phishing with reverse-proxy AitM kits, ClickFix/FileFix command-injection lures, malicious OAuth grants, rogue extensions, weaponized file downloads, and credential attacks exploiting MFA gaps—that security teams must prioritize in 2025. It explains why the browser has become the primary attack surface as users access hundreds of cloud apps, and why traditional email/network controls and endpoint defenses often miss these threats. The piece argues that effective detection requires real-time browser-level visibility and management across managed and unmanaged apps, highlighting Push Security as a vendor offering such capabilities.
Wed, September 3, 2025
Tycoon Phishing Kit Uses New Link Obfuscation Techniques
🔐 Barracuda researchers have detailed new link-obfuscation capabilities in the Tycoon Phishing-as-a-Service kit that hide malicious destinations from scanners and recipients. Observed techniques include URL encoding with '%20' invisible spaces, deceptive Unicode characters, hidden codes appended to links, redundant protocol prefixes, and subdomain manipulation. Attacks also incorporate a fake CAPTCHA stage and tools aimed at bypassing multi-factor authentication, enabling more effective email-based social engineering and evasion of traditional filters.
Thu, August 28, 2025
Google provides ChromeOS workarounds for ClassLink/Clever
⚠️ Google is investigating authentication failures that prevent sign-ins to Clever and ClassLink on affected ChromeOS devices running build 16328.55.0 with Chrome 139.0.7258.137. The problem can disrupt Single Sign‑On and some 2‑Step Verification flows, blocking access to educational platforms. As temporary mitigations, administrators can roll back devices to ChromeOS M138 via the Google Admin console or change LoginAuthenticationBehavior to use the default GAIA authentication flow while Google validates a fix.
Thu, August 28, 2025
Cloud CISO Perspectives: Fighting Cyber-Enabled Fraud
🔒 David Stone and Marina Kaganovich from Google Cloud’s Office of the CISO warn that cyber-enabled fraud (CEF) is scaling rapidly and presents severe financial and reputational risk. The post cites FBI data — $13.7 billion in losses in 2024 — and highlights common tactics such as phishing, ransomware, account takeover, and business email compromise. It urges CISOs and boards to shift from siloed defenses to a proactive, enterprise-wide posture using frameworks like FS-ISAC’s Cyber Fraud Prevention Framework and Google Cloud detection and protection capabilities.
Thu, August 28, 2025
Storm-0501 Deletes Azure Data and Backups After Exfiltration
🔒 Microsoft Threat Intelligence details a campaign by Storm-0501 that exfiltrated data from a large enterprise’s Azure environment, then deleted backups and encrypted remaining resources to block recovery. The actor abused Entra Connect synchronization, elevated to Global Administrator, and used Azure Owner privileges to steal storage keys and transfer blobs via AzCopy. Microsoft recommends enabling blob backups, least privilege, logging, and Azure Backup to mitigate these cloud-native ransomware tactics.